Patent Document 1 shows an example of a conventional firewall processing. In such a conventional technology, a pre-filtering module is provided to ease the burden on the firewall. The pre-filtering module performs a limited set of actions with regard to packets, according to whether the packets are received from a connection which has been previously permitted by the firewall. If the packets are received from such a permitted connection, then the pre-filtering module forwards the packets to their destination, optionally performing one or more actions on the packets. Otherwise, the packets are forwarded to the firewall for handling. Once the firewall has transferred responsibility of the pre-filtering module for the connection, or “off-loaded” the connection, the firewall does not receive further packets from this connection, i.e., the connection is closed, until a timeout occurs for the connection, or a packet is received with a particular session-control field value indicating that the session is finished.
An example of access control in the conventional VPN connection will be described. FIG. 10 is a block diagram showing the configuration of an example of the conventional remote access system. By the provision of the firewall, the access of traffic is limited, which accesses to a LAN 20 from remote terminals via a VPN access server 410, to a particular server 300. Such a system (FIG. 10) can be configured by combining general VPN access means and a commercial firewall device. In FIG. 10, a filter device 500 corresponds to the firewall device. The firewall device 500 refers to policies using its firewall function and determines whether traffic is permitted to pass or not. For instance, a configuration disclosed in Patent Document 1 may be employed as the filter device 500.    [Patent Document 1] Japanese Patent Kohyo Publication No. JP-P2003-525557A